Editing /etc/sudoers to manage sudo rights for users and groups

In some environments, it may be desirable to give users admin rights in the GUI while preventing those same users from running commands as root from the command line.

A way to achieve this “admin user in the GUI, standard user on the command line” setup is to edit the /etc/sudoers file. This is the configuration file read by the sudo command-line tool, which lets a user who matches a rule in that file run a command with root privileges, or with another user account’s privileges.

By default, all user accounts with admin rights on both OS X and macOS have full rights to use the sudo tool, because the stock /etc/sudoers grants them to the admin group. By removing that grant from the /etc/sudoers file, user accounts with admin rights will no longer be able to run commands with root privileges using the sudo tool. For more details, see below the jump.

Editing /etc/sudoers

To edit the /etc/sudoers file safely, make sure to use the visudo utility. visudo locks the file against concurrent edits and syntax-checks your changes before putting them into production; this matters because a sudoers file with a syntax error causes sudo to refuse to run for everyone, which would leave you with no way to fix the file short of logging in as root.

By default, visudo uses vi as its text editor. If you want to use an alternative text editor, this can be achieved by setting the EDITOR environment variable to an alternate value, then launching visudo.

For example, to use the nano editor (also known as pico), run the following command with root privileges:

EDITOR=nano visudo

Removing the admin group’s entry from the /etc/sudoers file

To remove the sudo rights for all users with admin privileges, use the procedure below:

1. Use visudo to open the /etc/sudoers file.

2. Navigate to the User privilege specification section.

In that section, you should see a line like this:

%admin ALL=(ALL) ALL

The % prefix indicates that the name refers to a group rather than a user; in this case the group named admin. Every account with admin rights is a member of the admin group, so commenting out or removing this entry means that members of that group will no longer have rights to use the sudo tool unless another rule in the file grants them.

3. To remove the entry for the admin group, you can take either of the following actions:

A. Comment out that line by placing a # at the start of it

B. Delete the line

Note: Make sure to leave the following entry intact and unedited:

root ALL=(ALL) ALL

Deleting that entry would mean that not even the root user would be able to use the sudo tool.

Adding entries to the /etc/sudoers file

After removing the entry for the admin group from the /etc/sudoers file, you may want to add additional entries for specific users or groups. For example, you may not want to grant sudo rights to all admin users but you do want to grant them to the local admin account and the primary user of the Mac in question. In this case, we’re assuming that the local admin and the primary user have the following accounts:

Local admin account: admin
Primary user’s account: username

Adding the following entries to the /etc/sudoers file would allow you to give full sudo rights to the admin and username accounts:

admin ALL=(ALL) ALL
username ALL=(ALL) ALL

Once the desired edits have been made, save the changes.

The new permissions will take effect immediately after the changes have been saved.

You might also want to add the following line to the sudoers file:
Defaults tty_tickets

By default, a successful sudo authentication is cached for a timeout period (15 minutes on the systems this was written for; the timestamp_timeout setting controls it), so you are not asked for the password again within that window. Without tty_tickets, that cached credential is keyed only to the user, so it is honored in every other Terminal window or tab and by any process running under that account, including malicious code, which can then invoke sudo without a password until the window expires. With tty_tickets, the ticket is also tied to the terminal it was created on, so other terminals and background processes have to authenticate on their own. Modern sudo releases enable tty_tickets by default; adding the line makes the policy explicit and guards against a sudoers that has turned it off. Running sudo -l shows the Defaults entries from sudoers that apply to your account, which is a quick way to confirm what is in effect.
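The whole procedure above (commenting out the %admin rule, keeping the root rule intact, adding per-user rules, and adding Defaults tty_tickets) as one dry-run shell script. This is an added example and not code from the original post: it rewrites a copy of the file rather than /etc/sudoers, refuses to produce a result with no active root rule, and leaves the visudo syntax check in place as the gate before anything is installed. The constructed sample sudoers content, the helper names, the sudoers_edit.sh file name, and the admin and username accounts (carried over from the post’s placeholders) are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post: apply the edits described
# above to a COPY of sudoers (comment out the %admin rule, keep the root rule,
# add per-user rules, add "Defaults tty_tickets"), refuse to produce a result
# that has no active root rule, and only then hand the copy to visudo -c for a
# syntax check before installing it. Assumptions: the stock macOS sudoers
# layout, and "admin" / "username" as the placeholder accounts from the post.

# Constructed stand-in for the relevant lines of a stock macOS /etc/sudoers.
sample_sudoers() {
    cat <<'EOF'
# User privilege specification
root ALL=(ALL) ALL
%admin ALL=(ALL) ALL
EOF
}

# Comment out every active "%admin ..." rule (stdin -> stdout). Requiring
# whitespace after the group name avoids touching e.g. "%administrators".
disable_admin_group() {
    sed -E 's/^[[:space:]]*(%admin[[:space:]].*)$/# \1/'
}

# Pass stdin through, then append a full-rights rule for each named user that
# does not already have one (so re-running does not duplicate rules).
grant_users() {
    body=$(cat)
    printf '%s\n' "$body"
    for u in "$@"; do
        if ! printf '%s\n' "$body" | grep -Eq "^[[:space:]]*$u[[:space:]]+ALL="; then
            printf '%s ALL=(ALL) ALL\n' "$u"
        fi
    done
}

# Append "Defaults tty_tickets" unless an active positive setting already
# exists. An explicit "Defaults !tty_tickets" is deliberately not matched, so
# the line is still appended; review any such negative setting by hand.
require_tty_tickets() {
    body=$(cat)
    printf '%s\n' "$body"
    if ! printf '%s\n' "$body" | grep -Eq '^[[:space:]]*Defaults[[:space:]]+tty_tickets([[:space:]]|$)'; then
        printf 'Defaults tty_tickets\n'
    fi
}

# Return 0 only if an active root rule survives: the line the post says must
# stay intact.
has_root_rule() {
    grep -Eq '^[[:space:]]*root[[:space:]]+ALL=\(ALL\)[[:space:]]+ALL' "$1"
}

# Build the edited copy from $1 for the given users; print its path, or fail
# without printing anything if the result would lock root out of sudo.
build_sudoers() {
    src=$1; shift
    out=$(mktemp) || return 1
    disable_admin_group <"$src" | grant_users "$@" | require_tty_tickets >"$out"
    if ! has_root_rule "$out"; then
        echo "refusing to continue: no active root rule in the result" >&2
        rm -f "$out"
        return 1
    fi
    printf '%s\n' "$out"
}

# Root only: syntax-check the copy with visudo -c -f (which never touches the
# live file), then install it with the owner and mode sudo expects on macOS.
# Not exercised by the dry run below.
install_sudoers() {
    chmod 0440 "$1"
    visudo -c -q -f "$1" || return 1
    install -m 0440 -o root -g wheel "$1" /etc/sudoers
}

# Dry run (no root needed): sh sudoers_edit.sh --demo
if [ "${1:-}" = "--demo" ]; then
    src=$(mktemp) && sample_sudoers >"$src"
    result=$(build_sudoers "$src" admin username) && cat "$result"
    rm -f "$src" "$result"
fi
```

The dry run prints the rewritten file rather than installing it; on a real Mac you would run build_sudoers against a copy of /etc/sudoers, read the output, and only then call install_sudoers as root. Keeping the visudo check between the text edit and the install is the point of the exercise: the sed and printf steps are easy to reason about, but only visudo knows the full grammar.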